Information on Email Virus Scanning


For the last few months, the Physics mail server has been running anti-virus or malware scanning software that scans incoming and outgoing email for viruses. A summary of these scans for the period is included at the end of this message.

When the Physics email server ('benfranklin') detects an attached or embedded virus, it sends a message -- included at the end of this message -- indicating that someone (or some computer) has sent an email containing a virus through the Physics email server. The offending email might have come from you or your computer, or from someone else or some other computer.

The server virus scanning software then takes action. Because the false positive rate is very, very small, and the damage that could be done by a single infected message is fairly high, the server software deletes the virus-laden email and sends out a message -- included at the end of this message -- to assist you in assessing the threat (e.g., a colleague keeps sending you mail with an attachment and it never arrives because there is a virus in the attachment).

In most instances no action on your part need be taken. However, should you discover that you or your computer is the offender, you should ensure that the virus protection software on your computer is functioning and is updated (all PCS released computers use McAfee VirusScan, latest version 8.0i; contact PCS should you not have this VirusScan software installed). Further, if you discover that an email was deleted, but is one you need, you will need to contact the sender to apprise that person of the problem.

The Physics Computing Services staff will provide any help. Please submit a 'physhelp'. To do so go to: internal.physics.umd.edu/cgi-bin/physhelp.pl


Example of an email indicating an offending virus-laden email was deleted


Virus intercepted WARNING!!! (from benfranklin.physics.umd.edu) An email message You were sent an email message from office@paypal.com that contained a virus (HTML.Phishing.Pay-122). This message has been deleted by the anti-virus scanner. The message headers follow:
Received: from User ([68.35.66.187]) by mail.johnventura.com with Microsoft SMTPSVC(5.0.2195.6713);
Mon, 23 Oct 2006 19:01:54 -0500
Reply-To:
From: "PayPal"
Subject: You you have paid orders@dell.com $699.99 USD
Date: Mon, 23 Oct 2006 18:05:33 -0600
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: office@paypal.com
Message-ID:
X-OriginalArrivalTime: 24 Oct 2006 00:01:54.0977 (UTC) FILETIME=[9DB75910:01C6F6FF]


SUMMARY of Virus Analysis on Physics Email Server 'benfranklin':


Malware caught by source and destination domains:

Total Counts for All Malware Caught        1314
From local domain, to local domain           32
From local domain, to non-local domain        0
From non-local domain, to local domain     1282

A total of 85 different species of malware were seen.

The local domain designation refers to anything ending in the campus domain; anything else is deemed non-local or outside. As we should not be relaying mail, all malware should fall into one of the categories of local to local, local to outside, or outside to local.
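The local/non-local rule above, written out as an added example (not part of the original page and not the mail server's own software). The campus domain `umd.edu` is an assumption inferred from the server hostname on this page, and the record layout and function names are hypothetical; the sample records are constructed.

```python
from collections import Counter

# Assumption: the campus domain is umd.edu, inferred from the server's
# hostname on this page (benfranklin.physics.umd.edu).
CAMPUS_DOMAIN = "umd.edu"

def is_local(address, campus=CAMPUS_DOMAIN):
    """True if the address's domain is the campus domain or a subdomain of it."""
    domain = address.rpartition("@")[2].strip().strip(">").rstrip(".").lower()
    # Match on a label boundary so "notumd.edu" is not treated as local.
    return domain == campus or domain.endswith("." + campus)

def direction(sender, recipient):
    """Name the summary category for one intercepted message.

    The sender is whatever the message claims, and that can be forged.
    """
    src = "local" if is_local(sender) else "non-local"
    dst = "local" if is_local(recipient) else "non-local"
    return f"From {src} domain, to {dst} domain"

def summarize(records):
    """Tally intercepts by direction and by malware name."""
    by_direction, by_name = Counter(), Counter()
    for sender, recipient, name in records:
        by_direction[direction(sender, recipient)] += 1
        by_name[name] += 1
    return by_direction, by_name

# Constructed sample records (sender, recipient, malware name); the addresses
# are made up, the malware names are ones that appear on this page.
SAMPLE = [
    ("office@paypal.com", "alice@physics.umd.edu", "HTML.Phishing.Pay-122"),
    ("bob@physics.umd.edu", "carol@umd.edu", "Worm.Mydoom.M"),
    ("x@notumd.edu", "alice@physics.umd.edu", "Worm.Mydoom.M"),
    ("", "dave@PHYSICS.UMD.EDU", "Exploit.HTML.IFrame"),    # empty sender
    ("x@example.net", "y@example.org", "Worm.SomeFool.P"),  # would mean relaying
]

if __name__ == "__main__":
    by_direction, by_name = summarize(SAMPLE)
    for label, count in by_direction.items():
        print(f"{label:45} {count}")
    for rank, (name, count) in enumerate(by_name.most_common(), 1):
        print(rank, name, count)
```

Any count in the non-local to non-local category means the server relayed mail between outside parties, which the paragraph above says should not happen.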

Top Malware Caught, by total number of incidents

Most frequently caught malware

Ranking  Name of the malware      Total count
1        HTML.Phishing.Bank-790   411
2        HTML.Phishing.Bank-362   246
3        HTML.Phishing.Bank-880   162
4        HTML.Phishing.Pay-110    144
5        Worm.SomeFool.Gen-2      29
6        Worm.Mydoom.M            24
7        Worm.SomeFool.P          20
8        Exploit.HTML.IFrame      20
9        HTML.Phishing.Bank-49    20
10       HTML.Phishing.Bank-388   14



This page is maintained by the Physics Web Managers:
For Content Questions contact the WebEditor.
For Technical Questions contact the WebTech.